Dangers of the Cloud: What Business Leaders Must Consider Before Allowing a Cloud Vendor to Side Step IT and Sourcing

UpperEdge_20141112_Cloud SolutionsThe promise of cloud solutions to improve speed to market, productivity, reliability, serviceability, and availability of business solutions are legitimate.  Currently, almost every provider offers its solutions in the cloud.  Cloud solution providers such as Salesforce, Workday, IBM, SAP, Oracle, and Microsoft are spending considerable sales and marketing dollars promoting the benefits of the delivered “as-a-service” model.  There are even providers such as Zuora, who offer a cloud-based platform to enable traditional businesses to run their business as a subscription.   All the hype is in the cloud and given the constant pressure on business leaders to create value, you can understand how often times these business leaders get lured into fast-track discussions with cloud vendors.  However, business leaders who are encouraged to evaluate and enter into a vendor relationship without the support and engagement of their IT partners and sourcing professionals would be wise to consider the following.

1. Incident Management:  IT organizations go to great lengths to create incident management organizations and infrastructure required to manage systems.  Any mission-critical solution, internally hosted or hosted via the cloud, should be integrated into these processes, including associated severity management, reporting, root cause and remediation protocols.

2. Change Management:  The release and change management processes of an IT organization are designed to mitigate the inherent risk of introducing change into business systems or infrastructure, alignment of outage windows, and restriction of emergency changes.  Without the engagement of IT, alignment to these policies will not occur and your expectations as a business leader will not be met.

3. Security Management:  The security posture of many organizations, particularly those with PCI, PHI or PII data has increased to the point where CIOs are required to provide readouts to their Audit Committees and Board of Directors on a regular basis.  The enhanced business practices being implemented by your CIOs, including vulnerability management, periodic access reviews and data encryption requirements must be met by your solution provider.

4. Disaster Recovery:  As part of your selection process, determining the criticality of the application, associated recovery time objectives and evaluation of the vendor’s infrastructure and operational procedures will require the engagement and expertise of your IT partners.  All cloud-based solutions should be evaluated in the context of your organization’s business continuity plan.

5. System Integration & Maintenance:  In many cases, the standalone capability of a cloud solution does not represent the fully optimized end state of a company’s business process. Full optimization often requires integration with legacy or other third party solutions that will eventually require the support and ongoing maintenance of IT.

6. Sourcing & Contract Management:  Negotiation of the commercial terms associated with cloud-based solutions extends well beyond the negotiation of a user fee per month.  The contract structure must define the obligations of the vendor and show how they align with the operational requirements of your enterprise. In addition, the contract structure should enable your ongoing strategy for proactively managing the vendor relationship and the underlying contract.

7. Financial Management:  Despite the budget scrutiny associated with the hardware/ software maintenance and SaaS expense within their P&Ls, responsible CIOs go to great lengths to consolidate maintenance/SaaS fees at an enterprise level in order to increase transparency and drive vendors to decrease costs.  Business leaders should use caution when using their expense budgets for cloud solutions as decentralized budgets and sourcing approaches will allow the vendor community to divide and conquer your enterprise, negating any potential benefits associated with economies of scale and scope.

The professional practices of IT organizations are all too often not understood or undervalued by business colleagues; many times for good reason based on prior performance.  Before placing blind faith in a vendor cloud solution, business leaders should leverage the capabilities of their IT partners and sourcing professionals to ensure the benefits of these solutions are not offset by associated risks.

In addition, the number of recent security and data breaches occurring within the marketplace highlights the full range of enterprise weaknesses and the associated vulnerabilities.   The likelihood of cyber attacks continues to rise and given what is at stake, CIOs should make it a top priority to have a contractual risk review conducted of all their existing cloud-based agreements in order to determine any operational and security-related gaps.  The effort should be led by the IT sourcing team and complemented by subject matter experts.

Please feel free to leave a comment and do not hesitate to contact me at [email protected] with any feedback or inquiries.